Sunday, March 27, 2016

Still continuing this journey of learning about Mimikatz, Skeleton Key, dumping NTDS.dit and Kerberos with Metasploit, the focus of this post is to get a better understanding of how I may be able to use the mimikatz tool.

When I performed this task within meterpreter, for whatever reason I was not successful. However, when I did it on Windows I was ;-)

So here we go. First up, I loaded mimikatz and verified that I was good to go.

Looks good!

Let's see what certificates are immediately available for the user.

So we have a certificate for administrator and its key is exportable too.

Let's export!

So Mimikatz claims it exported the public key as a .der file and the private key as a .pfx file.

Let's verify this is so!

I guess Mimikatz did not lie :-)

Let's add this to our personal store.

The password for the private key is "mimikatz".

Once the password is accepted we can complete the installation as shown below.

Let's now verify this is in our personal store.

Verify the thumbprint!

So we have the certificate installed and we have its private key.

What next should we do?

Let's make "Administrator" a recovery agent for the local user's EFS encrypted files. As we see below, "Administrator" has "File Recovery" as one of its intended purposes.

So I created a file named "EFS Testing" and encrypted it with EFS as shown below. We can see the "Recovery Certificate" belongs to "SECURITYNIK\Administrator". This certificate came from the logged-in administrator of the domain. Additionally, by looking at the certificate thumbprint, we know that this is the certificate we imported above.

So that's it for me on this post. Now that you have both the public and private key you can decide on what level of badness or goodness you would like to perform. Let your imagination run wild!
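The steps above check three things by eye: the certificate's thumbprint, whether its private key is exportable, and whether "File Recovery" is among its intended purposes. The PowerShell below is an added example, not part of the original post, showing how a defender would run the same inventory over a user's personal store: it reports, for every certificate, the thumbprint, the private key's exportability as the CAPI or CNG provider sees it, and whether the Enhanced Key Usage carries the Microsoft EFS or File Recovery OIDs (a File Recovery certificate is an EFS recovery agent). It then matches an exported .der file against the store by thumbprint. It assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later (for RSACertificateExtensions); the path C:\temp\exported.der is a placeholder, not a path from the post.

```powershell
# Added example, not from the original post: inventory the current user's
# personal certificate store and flag exportable private keys and EFS
# recovery-agent certificates, then match an exported .der against the store.
# Assumes Windows PowerShell 5.1 on .NET Framework 4.6+ (RSACertificateExtensions).

# Microsoft EKU OIDs: Encrypting File System and File Recovery (EFS recovery agent).
$EfsOid         = '1.3.6.1.4.1.311.10.3.4'
$EfsRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

function Get-EnhancedKeyUsageOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    if (-not $eku) { return @() }
    return @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Get-PrivateKeyState {
    # Describes whether a private key exists and whether its provider allows export.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return 'none' }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CAPI key container: exportability is a flag on the container.
            if ($rsa.CspKeyContainerInfo.Exportable) { return 'exportable (CAPI)' }
            return 'not exportable (CAPI)'
        }
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG key: export policy distinguishes plaintext export from encrypted-only export.
            $policy = $rsa.Key.ExportPolicy
            if ($policy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport)) {
                return 'exportable (CNG, plaintext)'
            }
            if ($policy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowExport)) {
                return 'exportable (CNG, encrypted only)'
            }
            return 'not exportable (CNG)'
        }
        return 'present (non-RSA or unknown provider)'
    } catch {
        return "present (could not open key: $($_.Exception.Message))"
    }
}

function Get-PersonalStoreReport {
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $oids = Get-EnhancedKeyUsageOids -Cert $cert
        [pscustomobject]@{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint          # SHA-1 thumbprint, as shown in the certificate dialog
            NotAfter    = $cert.NotAfter
            PrivateKey  = Get-PrivateKeyState -Cert $cert
            Efs         = $oids -contains $EfsOid
            EfsRecovery = $oids -contains $EfsRecoveryOid   # holder can decrypt files under the recovery policy
        }
    }
}

function Find-CertificateInStore {
    # Loads an exported certificate file (.der/.cer) and returns the store entry with the same thumbprint, if any.
    param([string]$Path, [string]$StorePath = 'Cert:\CurrentUser\My')
    $exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $exported.Thumbprint }
}

# Usage: full inventory, then only the entries that deserve a second look.
$report = Get-PersonalStoreReport
$report | Format-Table -AutoSize
$report | Where-Object { $_.EfsRecovery -or $_.PrivateKey -like 'exportable*' } |
    Format-List Subject, Thumbprint, PrivateKey, EfsRecovery

# Placeholder path (assumption): the .der written by the export step. Confirm its thumbprint is in the store.
$derPath = 'C:\temp\exported.der'
if (Test-Path $derPath) {
    $match = Find-CertificateInStore -Path $derPath
    if ($match) { "Store entry with matching thumbprint: $($match.Thumbprint)" }
    else        { 'No certificate in the personal store matches the exported file.' }
}
```

Run it in the context of the user whose store you are reviewing; Cert:\CurrentUser\My is per-user, so an administrator reviewing another account's store would use Cert:\LocalMachine\My or that user's session. The EfsRecovery column is the one to watch: a certificate with that purpose and a private key present is exactly what the post ends up with, and an unexpected one in a user's store is worth explaining.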

Below is a list of threat intelligence websites that you can use. Cymon.io is an excellent one as it searches around 200 different sources. If you’re looking for a more exhaustive list of threat intel sites, check out https://github.com/rshipp/awesome-malware-analysis